All API calls, be it REST or Python ones, return status codes that may be additionally broken down into sub-statuses.

HTTP-level status codes are used only to signal 200 OK, 400 Bad request and 403 Forbidden - other HTTP status codes
are not used because SSO functionality, through its Python API, can be exposed via protocols that may not have
an intrinsic notion of status codes, e.g. ZeroMQ or WebSockets.

Note that in certain cases the publicly returned sub-status may be followed by more specific information in server logs.
For instance, a generic E005001 ‘You are not allowed to access this resource’ may be accompanied by
E001001 ‘Invalid username’ yet this message is not returned to the caller so as not to reveal too much information to
potential adversaries.

Each sub-status starts with a prefix, ‘E’ indicates an error and ‘W’ stands for a warning.

In Python, all of status codes can be access through ‘from zato.sso import status_code’.